From 09ddc256b1ca2ecdd7b052c555bcdeba86e7bd8e Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Tue, 28 Nov 2023 13:48:12 +0100
Subject: [PATCH] small update and rule split
---
 ...age_load_dll_rstrtmgr_suspicious_load.yml} | 52 ++++++++---------
 .../image_load_dll_rstrtmgr_uncommon_load.yml | 56 +++++++++++++++++++
 2 files changed, 82 insertions(+), 26 deletions(-)
 rename rules/windows/image_load/{image_load_dll_rstrtmgr_susp_load.yml => image_load_dll_rstrtmgr_suspicious_load.yml} (56%)
 create mode 100644 rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_susp_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
similarity index 56%
rename from rules/windows/image_load/image_load_dll_rstrtmgr_susp_load.yml
rename to rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
index fa26eb9683d..e5cb6848469 100644
--- a/rules/windows/image_load/image_load_dll_rstrtmgr_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
@@ -1,17 +1,20 @@
-title: Load Of RstrtMgr DLL From Suspicious Process
+title: Load Of RstrtMgr.DLL By A Suspicious Process
 id: b48492dc-c5ef-4572-8dff-32bc241c15c8
+related:
+ - id: 3669afd2-9891-4534-a626-e5cf03810a61
+ type: derived
 status: experimental
 description: |
- Detects the load of RstrtMgr DLL (Restart Manager) by suspicious processes.
+ Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
 This librairy has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (Conti Ransomware, Cactus Ransomware). It has also been seen recently in the BiBi wiper for Windows.
 It could also be used for anti-analysis purposes by shut downing specific processes.
 references:
+ - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
 - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
 - https://www.swascan.com/cactus-ransomware-malware-analysis/
 - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
-date: 2023/11/22
-modified: 2023/11/22
+date: 2023/11/28
 tags:
 - attack.impact
 - attack.defense_evasion
@@ -21,30 +24,27 @@ logsource:
 category: image_load
 product: windows
 detection:
- selection:
+ selection_img:
 - ImageLoaded|endswith: '\RstrtMgr.dll'
 - OriginalFileName: 'RstrtMgr.dll'
- filter_explorer:
- Image: 'C:\Windows\explorer.exe'
- filter_system32:
- Image|startswith: 'C:\Windows\System32\'
- Image|endswith:
- - '\msiexec.exe'
- - '\taskhostw.exe'
- filter_tiworker:
- Image|startswith: 'C:\Windows\WinSxS\'
- Image|endswith: '\TiWorker.exe'
- filter_software_installation:
- Image|startswith: 'C:\Users\'
- Image|contains|all:
- - '\AppData\Local\Temp\is-'
- - '.tmp\'
- Image|endswith: '.tmp'
- condition: selection and not 1 of filter*
-fields:
- - Image
- - ProcessGuid
+ selection_folders_1:
+ Details|contains:
+ # Note: increase coverage by adding more suspicious paths
+ - ':\Perflogs\'
+ - ':\Users\Public\'
+ - '\Temporary Internet'
+ selection_folders_2:
+ - Details|contains:
+ - ':\Users\'
+ - '\Favorites\'
+ - Details|contains:
+ - ':\Users\'
+ - '\Favourites\'
+ - Details|contains:
+ - ':\Users\'
+ - '\Contacts\'
+ condition: selection_img and 1 of selection_folders_*
 falsepositives:
 - Other legitimate Windows processes not currently listed
 - Processes related to software installation
-level: medium
+level: high
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
new file mode 100644
index 00000000000..6f487f66466
--- /dev/null
+++ b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
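Review bot: `Details` does not appear to be a field of `image_load` events (it is the value-data field of registry events), so `selection_folders_1` and `selection_folders_2` in this hunk will never match and `selection_img and 1 of selection_folders_*` can never be true; the path of the loading process is `Image`, the field the filters this hunk removes were already keyed on. Independently, each item of `selection_folders_2` lists `':\Users\'` and the profile sub-folder as alternatives, so once the field is fixed the first value alone would fire for every process under any user profile; the intent reads as a conjunction, which is `contains|all`, the same form the sibling uncommon-load rule uses for its installer filter. Replace `Details|contains:` with `Image|contains:` in `selection_folders_1` and with `Image|contains|all:` in each of the three `selection_folders_2` items.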
@@ -0,0 +1,56 @@
+title: Load Of RstrtMgr.DLL By An Uncommon Process
+id: 3669afd2-9891-4534-a626-e5cf03810a61
+related:
+ - id: b48492dc-c5ef-4572-8dff-32bc241c15c8
+ type: derived
+status: experimental
+description: |
+ Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
+ This librairy has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (Conti Ransomware, Cactus Ransomware). It has also been seen recently in the BiBi wiper for Windows.
+ It could also be used for anti-analysis purposes by shut downing specific processes.
+references:
+ - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
+ - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
+ - https://www.swascan.com/cactus-ransomware-malware-analysis/
+ - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
+author: Luc Génaux
+date: 2023/11/28
+tags:
+ - attack.impact
+ - attack.defense_evasion
+ - attack.t1486
+ - attack.t1562.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ - ImageLoaded|endswith: '\RstrtMgr.dll'
+ - OriginalFileName: 'RstrtMgr.dll'
+ filter_main_generic:
+ Image|contains:
+ - ':\$WINDOWS.~BT\'
+ - ':\$WinREAgent\'
+ - ':\Program Files (x86)\'
+ - ':\Program Files\'
+ - ':\ProgramData\'
+ - ':\Windows\explorer.exe'
+ - ':\Windows\SoftwareDistribution\'
+ - ':\Windows\SysNative\'
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ - ':\Windows\WinSxS\'
+ - ':\WUDownloadCache\'
+ filter_main_user_software_installations:
+ Image|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\Temp\is-'
+ - '.tmp\'
+ Image|endswith: '.tmp'
+ filter_main_admin_software_installations:
+ Image|contains: ':\Windows\Temp\'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Other legitimate Windows processes not currently listed
+ - Processes related to software installation
+level: low
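Review bot: `filter_main_admin_software_installations` excludes the whole of `:\Windows\Temp\`, and `filter_main_generic` excludes `:\ProgramData\`; on a default install both directories are writable by standard users, so any executable placed there loads RstrtMgr.dll without this rule ever matching, which undercuts the "uncommon process" intent. If the admin filter is meant for the same elevated-installer case the user filter covers, narrowing it to that pattern keeps the false-positive reduction without excluding the directory outright: `Image|contains|all:` with `':\Windows\Temp\is-'` and `'.tmp\'` plus `Image|endswith: '.tmp'`, mirroring `filter_main_user_software_installations`; the `ProgramData` entry deserves the same treatment or at least a comment stating it is a known gap. The added description lines also carry two typos that the renamed rule repeats: `librairy` should read `library` and `shut downing` should read `shutting down`.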